What Omitly does
Omitly performs true content removal at the object level of the ISO
32000 model, followed by structural sanitisation and independent
verification. In sequence:
1. Content-stream rewriting. Redacted regions are removed from
the content streams themselves — the text-showing and graphics operators for the
selected content are deleted, not painted over. There is no overlay, no
annotation, and no “hidden” layer; the black bar you see is a visual marker drawn
after the data is already gone, and it is optional. Where a redaction
region covers part of an image, the covered pixels are overwritten in place in
the decoded image data; an image Omitly cannot scrub with confidence (unusual
colour spaces, masks, exotic compression) is removed in its entirety rather than
partially cleaned. Anything the engine cannot provably cover — inline images, for
example — is flagged, and the operation reports failure rather
than passing silently.
2. Structural sanitisation. The output is written as a fully
rewritten document — a single revision with no incremental-update history.
Orphaned objects are dropped. XMP metadata, the document information dictionary
and application PieceInfo data are removed outright, and OCR/text
layers within redacted regions are deleted by the same content-stream rewriting
as visible text. Two scope limits, stated plainly: pre-existing embedded file
attachments and document JavaScript are not currently removed;
and form-field content is handled by detection, not deletion — a form-field
appearance stream under a redaction region causes the operation to report
failure rather than claim a clean result. The governing principle is
default-deny: no path Omitly cannot prove clean is ever reported as redacted.
3. Verification pass. Before Omitly reports success, it
independently re-parses the output file and checks every redacted region two
ways: geometrically (no text or image renders into the region) and at the byte
level (the removed content does not appear anywhere in the decompressed file). A
region passes only if both checks hold. This check is also available standalone:
our free leak checker can audit any
“redacted” PDF — including ones produced by other tools — and report whether
sensitive text survives beneath the redactions. It runs entirely in your browser;
nothing is uploaded.
4. Tamper-evident proof. Every redaction operation embeds an
audit report in the output and seals the result: an Ed25519 signature over the
whole delivered file (with SHA-256 content hashes), verified by
recomputation over the exact bytes the holder presents — one changed byte fails
it. The seal is an integrity mechanism, not an identity one: the signing key is
generated per install, so a valid seal proves the document has not been altered
since sealing, and the signer key fingerprint is surfaced for out-of-band
comparison — it does not by itself prove who produced the file. The certificate
records when the operation ran as reported by the device clock; it is not
independently timestamped. (If you add the optional digital signature, an RFC
3161 timestamp from a timestamp authority of your choice can be included; only a
hash of the document is sent.) The precise scope of what the seal does and does
not warrant is documented in our
public threat model.
Omitly produces a tamper-evident certificate that the redacted content is not
present in the output document and that the document has not been altered since.
This is a technical artifact about a single output file. It is not proof that
the information has been destroyed across your other records, drafts, email,
or backups, and it is not a determination that you have met any specific legal
obligation — that remains your responsibility and, where relevant, your lawyer's.